Malware targeted various Saudi public and private organisations, with a focus on petrochemical firms

Trend Micro customers who had installed the latest XGen endpoint security product, which was released in October, were able to protect themselves against Shamoon II, says Ravi Patil, technical director, MMEA at Trend Micro.

Trend Micro also released patches against the malware after receiving samples of Shamoon on the 23rd for those running older versions of its solutions, Patil adds. “Trend Micro has also issued a specific tool which can detect the malware if the machine has not already been infected.”

Shamoon II is the latest iteration of the notorious malware that crippled the IT systems of Saudi Aramco four years ago. It resurfaced in November last year, but its effect was muted, until the 23rd when it attacked various Saudi public and private organisations, with a focus on petrochemical firms.

Shamoon is a targeted attack whose modus operandi is to identify and take over administrative privileges by stealing usernames and passwords, Patil explains. Attackers then deliver their payload and, in the case of Shamoon II, made sure it was time-bound and detonated precisely on the 23rd of January.

Once it was detonated, Shamoon II used the stolen credentials to propagate through all the machines in the network. “The malware’s intention was to overwrite the system disk and even wipe out the DR, replacing it with an image,” Patil explains.
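The propagation pattern just described, one stolen credential suddenly logging on to many machines, is something a defender can watch for in authentication logs. The following is an added example, not code from Trend Micro or from the article: it flags any account that reaches an unusually large number of distinct hosts inside a short sliding window. The log format, the account names and the hosts are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-logon records (hypothetical CSV format):
# timestamp, account, destination host. Not real Shamoon telemetry.
SAMPLE_LOGONS = """\
2017-01-23 09:00:05,svc_backup,HOST-01
2017-01-23 09:00:09,svc_backup,HOST-02
2017-01-23 09:00:12,svc_backup,HOST-03
2017-01-23 09:00:15,svc_backup,HOST-04
2017-01-23 09:00:20,svc_backup,HOST-05
2017-01-23 09:00:22,svc_backup,HOST-06
2017-01-23 09:05:00,alice,FILESRV-01
2017-01-23 09:30:00,alice,FILESRV-01
2017-01-23 10:00:00,bob,HOST-02
"""


def parse_logons(text):
    """Parse 'timestamp,account,host' lines into sorted (datetime, account, host) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, account, host = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, host))
    return sorted(records)


def find_fan_out(records, window=timedelta(minutes=5), threshold=5):
    """Return {account: set_of_hosts} for every account that logs on to at least
    `threshold` distinct hosts within any `window`-long span of time.
    Normal users rarely fan out like this; a credential driving a wiper across
    the network does."""
    by_account = defaultdict(list)
    for ts, account, host in records:
        by_account[account].append((ts, host))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= threshold:
                flagged[account] = flagged.get(account, set()) | hosts
    return flagged


if __name__ == "__main__":
    for account, hosts in find_fan_out(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: {len(hosts)} hosts within 5 min -> {sorted(hosts)}")
```

Tune `window` and `threshold` to the environment; legitimate administration tools such as patch deployment will also fan out, so the alert is a prompt to check which account is doing it, not a verdict on its own.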

There was no data exfiltration from the affected systems and no ransom demand, which rules out a profit motive. The intention appears to have been simply to cripple the affected systems.

For companies affected by such an attack, there is no silver bullet for recovery, says Patil. The starting point has to be a full reformat of the hard disk and restoration of data from backup.

“For future prevention, they need tools such as advanced XGen endpoint solutions which can pick up signs of such malware.”

Ultimately, organisations need to follow basic security best practices, such as changing usernames and passwords on a regular basis and safeguarding access to corporate assets over VPN.

“A lot of this has to do with user education, because these attacks emanate from phishing. With basic security best practices that a company should follow like educating its employees, and specifically non-IT employees who are unaware of such things, a recurrence of such attacks can be avoided,” says Patil.

Shamoon aside, Trend Micro predicts that we will still see huge growth in ransomware infections in 2017, based on the security trends of last year. Ransomware has become a money-making machine for cyber criminals, Patil observes, so expect such attacks to continue.